Process 1: Determine Areas Requiring Policy

A key activity in Policy is the process of aligning the goals of the IT organization to those of the overall business, then using that information to decide which areas need to have policies created. Organizational goals should be evaluated to determine possible risks. The impact of a risk can be evaluated by considering what might happen if the expectations surrounding that risk are not made clear to everyone in the organization. If an identified risk and its impact stand in the way of achieving a goal, then it will likely need to be addressed by a policy. In this way, management establishes clear guidelines that help ensure desired performance, fitting checks and balances, and appropriate workplace interactions.

The following table lists the activities involved in this process. These activities include:

Consider the impact of not having policy in place to address the identified risks and their effects on organizational goals. Legal advisors may provide input on whether a given area should or should not be covered by policy.

Out of the identified goals, select specific goals to support with policy that will either fit with the existing organizational culture or will transform the culture in a desired direction.

Discuss your strategy and its implications with executives. Ensure that senior management provides a strong, clear sign-off that will communicate policy direction to the organization. This helps establish the “tone at the top.”

Assess current state

Key questions:

How effective are our current policies and procedures?

Are there any audit issues that reflect ineffective, inappropriate, or non-existent policies?

Does the current portfolio of applications and systems comply with the intent of our policies?

Inputs:

Risk analysis from all IT service lifecycle phases captured in the risk knowledge base

IT strategic goals statement

Current IT portfolio

Service reviews

Outputs:

Documented current state of policies

Best practices:

Ensure that key users and stakeholders are personally interviewed—ask them what is working well, what needs improvement, and what future policies they would like to see.

To help both assess the current state and start planning for the future state, suggest that interviewees think at least two years out. If nothing changes in terms of policy, what problems do they foresee? The answers might reveal current inadequacies in policy. Then ask them how policy will need to change to take into account not just regulatory and technological changes, but the strategic direction of the organization as well as potential changes in their industry or market.

Envision future state

Key questions:

What are current best practices?

Where is the technology going?

What are the resource limitations on the business?

Inputs:

Analyst reports

Budgets

Best practice reports

Outputs:

Gap analysis between current state and envisioned future state

Metrics

Formal prioritization of future state

Best practices:

Consider whether the future state is financially worthwhile—whether it’s better to put resources toward filling gaps in policies, or to just leave the gaps. Make sure to get opinions from the legal department and upper management.

Keep a record of the decision-making process—leave an audit trail.

Perform gap analysis

Key questions:

What is the gap between our current state and our desired future state?

Is gap closure realistic?

Inputs:

Future state document

Budgets

Best practice reports

Outputs:

Gap report

Best practices:

Ensure that the gap analysis includes an evaluation of risk.

Do not make general policies overly restrictive or they will likely be ignored. Describe desired outcomes, not just prohibited activity.

Consider instituting role-based policies that can be “tuned” (made more or less restrictive) according to specific job functions.